There are five possible ways to enumerate a network through a compromised host:

  1. Using material found on the machine. The hosts file or ARP cache, for example
  2. Using pre-installed tools → Nmap is often pre-installed with Linux
  3. Using statically compiled tools
  4. Using scripting techniques
  5. Using local tools through a proxy → Remarkably slow

Findings on the machine

IPs that have recently interacted with the machine

arp -a

Equally, static mappings can be interesting

cat /etc/hosts
C:\Windows\System32\drivers\etc\hosts

Also identify any local DNS servers, which may be misconfigured

cat /etc/resolv.conf
nmcli dev show
ipconfig /all

<aside> 💡 Note: The difference between a "static" binary and a "dynamic" binary lies in how it was compiled. Most programs rely on a variety of external libraries (.so files on Linux, .dll files on Windows); these are referred to as "dynamic" programs. Static programs are compiled with those libraries built into the finished executable file. When we want to use a binary on a target system we will nearly always need a statically compiled copy, because the system may not have the dependencies installed, which means a dynamic binary would fail to run.

</aside>

Static builds are really useful when we don't have full access to a machine; note that static builds of Nmap exist.
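As an added check (not part of the original notes), the script below tells a statically linked ELF binary from a dynamically linked one by reading its program headers, which is the distinction the aside above describes; it uses constructed minimal ELF images as sample input so it runs offline, and classify_file() is a hypothetical helper for a file on disk.

```python
# Added example: classify an ELF binary as static or dynamic from its program headers.
# A dynamic executable carries a PT_INTERP entry naming the loader (ld.so) it needs;
# a static one has none. A static-pie binary has PT_DYNAMIC but still no PT_INTERP and
# still runs without external libraries, so PT_INTERP is the decisive signal.
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3


def classify_elf(data: bytes) -> str:
    """Return 'dynamic', 'static' or 'not an ELF' for an in-memory ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not an ELF"
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        phoff = struct.unpack_from(end + "I", data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    # p_type is the first 32-bit field of every program header in both ELF classes.
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break  # truncated image: stop rather than raise
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return "dynamic"
    return "static"


def classify_file(path: str) -> str:
    """Hypothetical helper: classify a binary on disk, e.g. a copy of nmap."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_elf64(ptypes) -> bytes:
    """Constructed minimal ELF64 little-endian image (header + program headers only),
    used as offline sample input; it is not a runnable program."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    header = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000) for t in ptypes)
    return header + phdrs


DYNAMIC_SAMPLE = build_elf64([PT_INTERP, PT_LOAD, PT_DYNAMIC])  # needs ld.so + libraries
STATIC_SAMPLE = build_elf64([PT_LOAD, PT_LOAD])                 # self-contained
```

On a real file, `file` reports the same thing as "statically linked" or "dynamically linked"; this script is for hosts where `file` and `ldd` are missing.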

The last resort is to use the host as a proxy. It's really slow, so avoid it unless you need a specific Nmap script.

Scripting

When no tools are available, scripting is still very powerful.